Selected by five of our columnists, these products step beyond the norm with interesting solutions for today's enterprise network problems.
Swinging into wireless with ease
Trapeze Networks' Trapeze Mobility System
Ready or not, wireless LANs are popping up in corporations. IT brings some in through the front door, while users tiptoe others in through the back door. Either way, WLANs pose unique management challenges.
Coverage, integration with wired networks, security and detection of rogue access points require thoughtful management. Fortunately, companies such as Airespace, Aruba Wireless Networks, Bandspeed, Bluesocket, ReefEdge, Trapeze and Vernier Networks stepped out in 2003 with enterprise-grade WLANs. Of these, Trapeze stands out for its comprehensive offering.
Trapeze Mobility System does for WLANs what structured wiring systems do for wired LANs. Thus, Trapeze calls its solution "structured air." But that's only part of the story: Trapeze takes wire, glass and wireless media and creates a network with integrated mobility.
Trapeze Mobility System is for companies that see mobility as an essential component of their network strategy. To reap the full benefits, the corporation must standardize on Trapeze's access points. Although Trapeze offers a starter kit, the payoff is greatest for customers with diverse applications, a large number of mobile users or both.
The system consists of four major elements: RingMaster, Mobility System Software, Mobility Exchange and Mobility Points. The RingMaster tool suite is for planning, configuring and optimizing the WLAN. The process begins by importing AutoCAD (or other) floor plans. A software wizard calculates the number and locations of Trapeze Mobility Points (access points) and Mobility Exchanges (switches) to be installed. Once these are in place, RingMaster uploads their configurations and verifies coverage. RingMaster continues to gather statistics, detect rogue access points and plan changes from that day forward.
Mobility Exchanges support what Trapeze calls "identity-based networking." Instead of linking users to physical ports for authentication, security and management, Trapeze focuses on user identities and transfers user attributes from one Mobility Exchange to another as the user roams the network. With other systems, users must re-log on as they roam; with Trapeze, users log on once. The Mobility Exchanges also offload many RADIUS/AAA server tasks for maximum responsiveness and scalability.
Mobility Points avoid the extremes of "thin" and "fat" access points to optimize security and guarantee availability at lower total cost of ownership. For example, they feature redundant data and power-over-Ethernet ports. Thus, each Mobility Point can be associated with two Mobility Exchanges. While other systems require 100% access point redundancy to guarantee availability, Trapeze can accomplish the same with just 25% access point redundancy.
Trapeze Mobility System has a nice security feature too. It continuously monitors the airwaves, alerting IT when it detects rogue access points.
One drawback is that the Trapeze Mobility System forces replacement of pre-existing access points. Still, for companies with big mobility plans, that's a small price to pay for a qualitatively more secure, scalable and manageable system. Pricing for the system averages about $250 per user, assuming between 10 and 15 users per access point, with 450 to 6,000 users total. This price does not include user adapter cards.
Brodsky also likes Orthogon Systems' OS-Gemini product for non-line-of-sight wireless applications. Read more.
Brodsky is president of Datacomm Research in Chesterfield,Mo. Reach him at ibrodsky@datacommresearch.com.
A one-two punch for securing e-mail and instant messages
Sigaba's Secure Email 4.0/Secure Instant Messaging 1.2
Picking a single product to represent an entire year is always a challenge. Of course the solution should have great technology and features. But I look for more. Specifically, it must illustrate a trend - better still, multiple trends - that will be significant this year. It has to fill a clearly defined market gap. And it should garner rave reviews from IT executives.
My pick for this year is Sigaba's Secure Email 4.0/Secure Instant Messaging 1.2, introduced last October. This product combination provides privacy, auditing and management for electronic communications, including e-mail and instant messaging, and it addresses three key trends for 2004.
First is the focus on security. IT executives increasingly need to secure, track and manage all forms of communication. Thanks to legislation such as the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley and Sarbanes-Oxley, the penalties for data tampering (or working unknowingly with tampered data) now include jail time for senior executives. Compliance with this legislation is critical - and will continue to be for years to come.
Second is the emergence of IM in the enterprise. In a recent Nemertes Research benchmark, 90% of IT executives reported using IM at work. Increasingly, IM is an IT-supported initiative: 37% of IT executives say their companies are using enterprise-class IM, while another 43% say they will be doing so within the next six to 24 months.
Last comes the growing requirement for encryption key management that can be controlled and audited centrally but administered in a distributed fashion. This is particularly necessary when a group at headquarters is responsible for guaranteeing the accuracy of data exchanged among far-flung sites. As the chief security officer of a major global manufacturing firm tells me, an effective messaging encryption tool has been his Holy Grail for the past three years. His major challenge is being able to manage keys at a regional level without the knowledge of the local general managers (which might be necessary, for example, if one of those individuals is suspected of unethical behavior).
Fortunately for him, the Sigaba platform handles authentication, authorization, distribution of encryption keys, and signing and non-repudiation of messages. And, it lets security managers maintain a detailed trail of user actions for auditing purposes.
Users are equipped with a variety of clients: an IM desktop, IM for browsers and e-mail plug-ins that provide a "Send securely" option to 20 of the top e-mail packages. These clients integrate into a range of servers, including a presence server, an IM server and the e-mail gateway server. Features such as virus scanning, content filtering and policy management functions run on these servers. Most importantly, IT executives can manage the software locally and globally, as needed.
Users who have rolled out the Sigaba software love it (in fact, I first learned about this product from an IT executive). An entry-level system starts at about $25,000 and runs on AIX, Solaris, Linux, and Windows servers.
Johnson is president and chief research officer at Nemertes Research. She can be reached at johna@nemertes.com.
Adding a jolt to PKI-based messaging
Voltage Security's Voltage Security Platform (Voltage SecurePolicy Suite, Voltage SecureMail and Voltage SecureFile)
Secure messaging still hasn't broken into the enterprise mainstream, in spite of considerable vendor innovation over the past several years. Among deployed secure-messaging systems, public-key-infrastructure-based solutions predominate.
However, PKI-based secure-messaging products are still too complex to set up and administer within and among diverse organizations. Automatic and transparent handling of key issuance, management and retrieval, on demand, would help considerably. Identity-based encryption (IBE), implemented in Voltage Security's Voltage Security Platform product family, is a breakthrough PKI approach that does this.
The fundamental innovation behind Voltage's IBE is that a message sender doesn't need to know whether an intended recipient has a public-key certificate. Users needn't ever obtain an X.509 certificate to participate in IBE-based secure communications. Instead, people can use any arbitrary character string - such as their e-mail address - as their public key. Consequently, public-key issuance becomes an implicit, latent and automatic component of e-mail account setup. Any recipient can simply assume a public key based on identity information retrieved from existing directories.
Under this IBE-based architecture, companies don't need infrastructure components such as certificate authorities and repositories. The sender simply addresses and sends the secure message to recipients as he normally would, using the recipient's e-mail address. The sender's e-mail client uses the recipient's e-mail address as the public key when encrypting or signing messages bound for the recipient. The Voltage server-side infrastructure - the SecurePolicy Suite or hosted SecurePolicy Service - takes care of binding IBE-based public keys to freshly minted, short-lived private keys, and distributing private keys to recipients, on demand.
To read secure e-mail, the receiver requests a private key from the sender's SecurePolicy Suite (or the hosted Voltage SecurePolicy Service). The server-side infrastructure provisions plug-in software - Voltage SecureMail - to recipient desktops, and authenticates senders and recipients against existing directories.
Voltage's IBE approach simplifies key management. Other secure-messaging vendors surely will take note and attempt their own IBE-based solutions (an approach that has been around since the 1980s, but Voltage introduced the first commercial version last July).
However, Voltage doesn't appreciably simplify the configuration of secure-messaging environments. Users must have Voltage client software integrated with leading e-mail clients, including Microsoft Outlook. And it doesn't provide qualitatively superior secure-messaging features. Many of Voltage's other secure-messaging features - including short-lived private keys, server-side key revocation, and ad hoc enrollment and provisioning - can be found elsewhere.
Voltage SecurePolicy Suite costs $50,000 per server; SecureMail, $50 per user; and SecureFile, $20 per user. Clients are available in packages ranging from 1,000 to 100,000 users, and in corporate volume discounts. The company also provides subscription pricing as an alternative.
Kobielus is a senior analyst in Alexandria, Va., with Burton Group. He can be reached at jkobielus@burtongroup.com.
Visual Networks' Visual UpTime Select
Short of modems, thinking of a less-innovative product than a DSU/CSU is tough. The sole innovation for the DSU/CSU market over the past 10 to 15 years has been to make these devices the independent reference point and measurement tool for troubleshooting and service-level agreement verification. So coming out with a "category breaker" in this space takes true innovation - even if that comes in the form of taking an old idea and adding new features.
This is exactly what market leader Visual has done with Visual UpTime Select. Not content to sit back and continue with a business-as-usual model, Visual raises the ante with this product by creating a pay-as-you-go model for advanced DSU/CSU functions.
The market for enhanced DSU/CSU products has always presented a dilemma for users. On the one hand, you can pay an increased price for the unit and have excellent network management capabilities. Or you can take your chances with a generic, run-of-the-mill unit and probably squeak by for less money. And while I've always advocated the former path, in these cash-strapped times many firms have chosen the latter route.
Now you can have your cake and eat it too. You can get enhanced functions by buying the base DSU unit and the software licenses, or you can buy the software licenses at a later date (from mid-2004). Using special code, you would be able to unlock the enhanced functions when you need them on a site-by-site basis. A basic T-1 unit costs $1,200, with the additional software functions ranging in price from $650 to $1,700 per site.
Let's suppose you're experiencing a problem in Albuquerque, N.M., for the first time in several years. With UpTime Select, you will have the option of purchasing a license to unlock the advanced capabilities only in Albuquerque to solve the problem at hand.
But, in the tradition of the famous Ginsu knife commercials, "But wait! There's more!" Two additional factors make Visual UpTime Select product even more interesting.
The first of these is the ability to do time travel. Let's say the problem in Albuquerque started on a Tuesday, but it didn't rise to the top of the trouble-ticket stack until Thursday. Even though you previously hadn't purchased the historical-analysis capabilities, UpTime Select has been tracking the problem all along. When you activate the software on Thursday, the stats from Tuesday are available to you.